Minio: Multiple ldap username formats should allow users with different DNs to login

Created on 22 Jul 2020 · 4 Comments · Source: minio/minio

When configuring multiple username formats via MINIO_IDENTITY_LDAP_USERNAME_FORMAT, all logins start to fail for users that don't match (and bind to LDAP via) _all_ formats.

Expected Behavior

When setting up Minio to use LDAP for authentication, we configure:

export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='CN=%s,OU=People,DC=example,DC=com;CN=%s,OU=Tools,DC=example,DC=com'

Once set up and running, both bob (CN=bob,OU=People,DC=example,DC=com) and reporting (CN=reporting,OU=Tools,DC=example,DC=com) should be able to authenticate against Minio and retrieve the files they have access to.

Current Behavior

With the above configuration, neither bob nor reporting can log in, and the Minio logs show LDAP "Invalid Credentials" errors.

If we change the configuration to:

export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='CN=%s,OU=People,DC=example,DC=com'

then bob can log in just fine, while reporting cannot. And if we swap the configuration to:

export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='CN=%s,OU=Tools,DC=example,DC=com'

then reporting gets access, but bob is rejected.

Possible Solution

We traced the problem to config.go:L165, where the login attempt appears to fail unless the given username successfully binds using _all_ of the configured formats.

A solution would be to fail the login attempt only if the username does not bind with _any_ of the available formats, i.e. accept the first format that binds successfully.

Steps to Reproduce (for bugs)

  1. Set up Minio to use LDAP for authentication
  2. Configure MINIO_IDENTITY_LDAP_USERNAME_FORMAT with multiple formats
  3. Create one user matching each of the above formats
  4. Attempt to authenticate against Minio as each user

We use the following Python code to access Minio

import requests
from xml.etree import ElementTree as etree

def get_credentials(endpoint, username, password):
    # STS AssumeRoleWithLDAPIdentity request; Minio substitutes the username
    # into the configured MINIO_IDENTITY_LDAP_USERNAME_FORMAT value(s) and binds.
    params = {
        "Action": "AssumeRoleWithLDAPIdentity",
        "LDAPUsername": username,
        "LDAPPassword": password,
        "Version": "2011-06-15",
    }
    # verify=False disables TLS certificate verification (as in the reporter's test setup)
    r = requests.post(endpoint, params=params, verify=False)
    root = etree.fromstring(r.content)
    ns = {"ns": "https://sts.amazonaws.com/doc/2011-06-15/"}
    et = root.find("ns:AssumeRoleWithLDAPIdentityResult/ns:Credentials", ns)
    if et is None:
        # A rejected login returns an error document with no Credentials element
        raise RuntimeError("no credentials in STS response: %s" % r.text)
    credentials = {}
    for el in et:
        # Strip the namespace prefix, e.g. "{https://sts...}AccessKeyId" -> "AccessKeyId"
        _, _, tag = el.tag.rpartition("}")
        credentials[tag] = el.text
    return credentials

Context

We keep human accounts in a separate OU from our tools/automation accounts, but we would like both to be able to access Minio. At the moment, that only seems possible if accounts are duplicated in both OUs, which would not be ideal.

community do not close
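The behaviour described under "Possible Solution" above, as an added illustration that is not Minio's own code: the LDAP server is simulated by a constructed dictionary of DN to password, and `simple_bind` stands in for a real LDAP simple bind. `lookup_bind_all_formats` reproduces the reported behaviour (every configured format must bind), while `lookup_bind_any_format` implements the proposed fix (the first format that binds wins). The `%s` substitution mirrors the MINIO_IDENTITY_LDAP_USERNAME_FORMAT convention shown in the issue; the guard that rejects DN-structural characters in the username is an assumption added here, not something the issue discusses.

```python
# Constructed stand-in for the LDAP directory: DN -> password.
DIRECTORY = {
    "CN=bob,OU=People,DC=example,DC=com": "bob-pass",
    "CN=reporting,OU=Tools,DC=example,DC=com": "tools-pass",
}

# Same value as in the issue's MINIO_IDENTITY_LDAP_USERNAME_FORMAT example.
USERNAME_FORMATS = (
    "CN=%s,OU=People,DC=example,DC=com;CN=%s,OU=Tools,DC=example,DC=com"
)


def parse_username_formats(value):
    """Split the ';'-separated format list into individual '%s' templates."""
    return [f.strip() for f in value.split(";") if f.strip()]


def simple_bind(dn, password):
    """Simulated LDAP simple bind: succeeds only if DN exists and password matches."""
    return DIRECTORY.get(dn) is not None and DIRECTORY[dn] == password


def _candidate_dns(username, formats):
    """Build one bind DN per format. Assumption: reject characters that would
    change the DN structure, since the username is pasted into the template."""
    if any(c in username for c in ",=+<>#;\\\""):
        raise ValueError("username contains DN-special characters")
    return [fmt % username for fmt in formats]


def lookup_bind_all_formats(username, password, formats):
    """Behaviour reported in the issue: any format that fails to bind rejects
    the login, so a user existing under only one OU is always refused."""
    bound_dn = None
    for dn in _candidate_dns(username, formats):
        if not simple_bind(dn, password):
            return None
        bound_dn = dn
    return bound_dn


def lookup_bind_any_format(username, password, formats):
    """Proposed fix: return the first DN that binds; fail only if none do."""
    for dn in _candidate_dns(username, formats):
        if simple_bind(dn, password):
            return dn
    return None


if __name__ == "__main__":
    fmts = parse_username_formats(USERNAME_FORMATS)
    for user, pw in (("bob", "bob-pass"), ("reporting", "tools-pass"), ("bob", "wrong")):
        print(user, "all-formats:", lookup_bind_all_formats(user, pw, fmts),
              "any-format:", lookup_bind_any_format(user, pw, fmts))
```

With the two-format configuration, `lookup_bind_all_formats` returns None for both bob and reporting (the "Invalid Credentials" outcome in the issue), while `lookup_bind_any_format` returns each user's actual DN and still rejects a wrong password or an unknown user.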

Most helpful comment

I have not understood why to impose a format when the simplest thing to do is to authenticate with a service user to look for the dn of the username entered and then use the dn found to authenticate.

All 4 comments

I have not understood why to impose a format when the simplest thing to do is to authenticate with a service user to look for the dn of the username entered and then use the dn found to authenticate.

@fdefilippo I think what you are looking for there is on these two tickets https://github.com/minio/minio/issues/9178 https://github.com/minio/minio/issues/9593

Is there any ETA on having LDAP updated with either a specific bind (service account) user or a modification to allow sAMAccount names to be used? This is a major blocking feature from easy widespread AD integration.

No ETA yet @tkg61
